Defending the Enterprise Perimeter

Perimeter defense is a challenge to enterprises because systems outside increasingly need authorized access to critical servers inside. Businesses need to provide access to partners and customers to real-time information about the state of products and services being configured or delivered. Further, end client systems are increasingly mobile or remote. This means that security at the perimeter as well as on client systems is a critical priority.

Security practitioners must closely review the type of information people from the outside are authorized to access and design an infrastructure that delivers “secure” access to all such information. This article examines security tiers within enterprises, threats to be familiar with and key components to make the organization more secure. It also looks at vendor solutions that are increasingly integrating multiple capabilities in a single box at the perimeter and on end-user client systems as well.

Security Tiers

Enterprises today have to secure three tiers of the network: perimeter systems, server systems and client systems. The systems at the perimeter include routers, firewalls, Web servers and other Internet-facing devices configured on the network. These systems are on the “edge” of the network. The crown jewels of businesses today are their server systems—these include file servers, database servers and application servers. They store the critical data and form the “core” of the network. End-user systems may connect to the infrastructure from the inside or the outside, which is what makes this “edge” of the network so challenging to secure.

The Threat

There are several threats that need to be addressed as security practitioners design the security architecture. These threats include denial-of-service (DoS) attacks, malicious code attacks, unauthorized access and blended threats.

DoS attacks can disable one system or an entire network. Their purpose is to disrupt the use of a service or business operation provided by a system or network. Either may be flooded, or connections between systems may be disrupted.

Malicious code attacks may damage or compromise a system or a network. In this case, viruses, worms or Trojan horses may be used to self-replicate or self-propagate and spread to other users on the network.

Attackers may be outside or inside an organization. They might include a disgruntled employee, a contractor or a funded attacker from the outside. They might access end-user accounts or privileged accounts that may not be very secure. Consider the case of a firewall system or a router on the perimeter whose password is still the default set at the time of installation.

Blended threats combine the characteristics of viruses, worms and Trojan horses. Nimda and CodeRed are examples of blended threats. These attacks are highly disruptive and spread quickly within organizations, typically resulting in widespread damage. These attacks can have an impact in the following areas:

Getting Started: Risk Assessment

The first step is to conduct a risk assessment. This implies that the organization must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of sensitive information and vital assets. The risk assessment will identify the “gaps” in the perimeter security. These are gaps that must be “closed and locked” to prevent attackers from exploiting them to threaten the assets on the infrastructure. Examples of gaps discovered during the risk analysis may include the use of SNMP community strings on the firewall system or perimeter router with authentication set to default. These can easily be exploited by hackers and could substantially compromise the security of the business.
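The default-password and default-SNMP-community gaps described above are the kind of thing a risk assessment should catch mechanically. The following is an added example, not code from the article or from any vendor, that audits a constructed IOS-style router configuration for those gaps; the sample configuration, the device name and the community strings are all made up for illustration.

```python
import re
from typing import Dict, List

# Constructed sample perimeter-router configuration (IOS-style syntax, not
# taken from any real device) showing the gaps a risk assessment should find.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
enable password cisco
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk7-ops-readonly RO
line vty 0 4
 transport input telnet
"""

DEFAULT_COMMUNITIES = {"public", "private"}  # vendor defaults that must not survive installation
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?", re.I)

def audit_config(config_text: str) -> List[Dict[str, str]]:
    """Walk a device config line by line and return perimeter-hardening findings."""
    findings: List[Dict[str, str]] = []

    def add(severity: str, lineno: int, reason: str) -> None:
        findings.append({"severity": severity, "line": str(lineno), "reason": reason})

    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = SNMP_RE.match(line)
        if m:
            community, mode = m.group(1), (m.group(2) or "RO").upper()
            if community.lower() in DEFAULT_COMMUNITIES:
                # A default string with RW access lets anyone reconfigure the device.
                add("high" if mode == "RW" else "medium", lineno,
                    f"default SNMP community '{community}' ({mode})")
        elif line.startswith("enable password"):
            # 'enable password' is stored reversibly; 'enable secret' is hashed.
            add("high", lineno, "enable password used instead of enable secret")
        elif line == "transport input telnet":
            # Telnet carries management credentials in cleartext.
            add("medium", lineno, "telnet management access enabled")
    return findings

def severity_counts(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Summarise findings by severity so the gap list can be prioritised."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts
```

Run `audit_config(SAMPLE_CONFIG)` to list the four gaps in the sample; a hardened configuration (enable secret, non-default community strings, SSH-only management) returns an empty list.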

The information gained from a risk assessment is useful in tailoring security policies to address perimeter security technologies such as firewall systems. This provides the basis for rules and filters to be configured on the system.

While firewalls control network traffic through the use of filters or rules, intrusion detection systems generate alerts and reports about unauthorized access. This information is very useful for planning further ways to strengthen the perimeter. VPNs secure connections from outside the perimeter, which makes it much safer to connect beyond the enterprise to systems over the Internet. Content filtering eliminates unwanted traffic, while malicious-code protection blocks attacks from viruses, worms and Trojan horses.

Integrated security provides the foundation—the framework to centrally manage network tiers and deployed security systems. An integrated security strategy must be considered carefully by security practitioners to improve the security posture of the infrastructure and the organization. Lack of integration typically leads to interoperability issues, patch inconsistencies and a higher cost of ownership. Sometimes, as in this instance, less is better.

Case Study: Symantec’s Solutions

Examples of vendor solutions for perimeter defense include Symantec’s Gateway Security Appliance 5400 Series and its Client Security products. Other vendors that compete in this space include Check Point, Cisco and Internet Security Systems, to name a few.

The Symantec Gateway Security Appliance 5400 Series product is designed to secure the corporate network infrastructure from the Internet. It integrates the following capabilities:

Firewall technology
IPSec VPN
Intrusion detection
Intrusion prevention
Virus protection
URL-based content filtering
Anti-spam
Hardware-assisted high-speed encryption

This simplifies the task of managing the perimeter because it centralizes key functions such as logging, alerting, reporting and policy configuration management. The management interface is Web-based. All communication is secure, as it takes place over Secure Sockets Layer (SSL).

Symantec Client Security is designed for threat protection through integrated firewall, VPN, anti-virus and intrusion detection capabilities for remote, networked and mobile client systems. Client Security from Symantec includes the capability to recognize unwanted spyware and adware, and minimizes the number of pop-ups that the end user sees. It is important for security practitioners to secure both the perimeter and the client systems because client systems are increasingly mobile and typically access the enterprise from outside the perimeter.

Summary

Targeted attacks on firewalls, routers and other security devices are a growing security concern. Security practitioners need to centralize and secure the entry and exit points to the Internet. All systems on the perimeter must be hardened and their log files reviewed on a regular basis to check for unauthorized activity. To the extent possible, strong authentication should be required on all systems on the perimeter. Security practitioners must pay particular attention to the area of patch